Readit News
BobDaHacker commented on I Hacked India's Biggest Dating App (They Offered Me a $100 Gift Card)   bobdahacker.com/blog/indi... · Posted by u/IlikeKitties
IlikeKitties · 12 days ago
Kek, I'm not the guy that found those vulnerabilities, I just reposted what I found on 4chan. So Indian users of this app are already fucked anyway. Maybe they get to enjoy calls from Microsoft about the viruses on their computers now too.

Anyway, if you build an app with no security at all, like this one, and refuse to fix it, you deserve all the consequences. And if Indians can't get their shit together to hold these companies responsible for their incompetence, well, sucks to be them.

BobDaHacker · 12 days ago
Yes. I really hope this teaches them a lesson and they fix it before 4chan acts but that problem won't happen. Also, if I had stayed quiet and not informed the public that the app doesn't care about your privacy, a data breach was bound to happen at some point, because they are just leaving holes for bad guys to discover.
BobDaHacker commented on I Hacked India's Biggest Dating App (They Offered Me a $100 Gift Card)   bobdahacker.com/blog/indi... · Posted by u/IlikeKitties
billy99k · 12 days ago
I've seen multiple posts from 'bobdahacker'. What you are doing here isn't difficult and in many instances, illegal (although the site in India probably wouldn't bother pressing charges). I'm in the security industry and the amount of red tape around testing and disclosure is insane.

I also would never hire you, if this is your goal. You are irresponsible for publicly disclosing these vulnerabilities that obviously haven't been fixed. Actual hackers are now going to be more likely to steal information and worse to innocent people, using the platform.

As I've always said, Hacktivists are just authoritarians with no power. You didn't get what you wanted and don't care about the innocent people affected by your actions.

BobDaHacker · 12 days ago
I do want people's privacy to be protected. This app has been insecure since day one, and they obviously don't care; it's been 9 months. I posted about it since they obviously didn't give a shit, because this will now hopefully force them to actually fix it.

Instead of fixing these issues they have been implementing "AI matchmaking" like that is more important.

And these fixes aren't that hard either. It's not rocket science.

My goal is not to get hired, my goal is to hold them responsible and hopefully make them fucking fix it.

I hate companies that don't give a rat's ass about their users' security and waste time making AI shit instead of fixing their problems cuz they don't care.

BobDaHacker commented on Lovense: The Company That Lies to Security Researchers   bobdahacker.com/blog/love... · Posted by u/campuscodi
chmod775 · a month ago
Am I crazy or does all of that look ridiculously over-engineered for what they actually provide? It looks like the 4-5 devs wanted to build something fancy like the big boys would, without having the manpower to deal with the overhead.

These kinds of issues usually arise because complex technologies are introduced, mostly by following some basic tutorials and light googling, without anyone actually understanding what that random NPM package (speaking a protocol of which they have at best a rudimentary understanding) actually does to communicate with the Rust crate the other guy pulled.

I don't doubt their entire service could be a monolithic, small, and easily comprehensible Node app running on some consumer PC hardware at the company HQ. You're never going to outgrow that in their business. It'd likely run off a MacBook with some engineering discipline.

Instead it's probably a confusing mess of microservices in a Kubernetes cluster, each running in its own Docker container for "isolation", glued together with some YAML magic and a few bash scripts, tunneling XMPP over gRPC "because it's faster", behind an Istio mesh someone half-configured, talking to a bunch of managed cloud services across AWS and GCP "for redundancy", with Redis caches scattered around "just in case", logs streaming into three different observability tools (none of them fully set up), CI/CD powered by GitHub Actions triggering Terraform deployments through a Slack bot, autoscaling turned on "with default settings", and of course there's a blockchain component for audit logs - though no one remembers why - and a colocated 96-core fifteen-thousand dollar server running a cron job that updates a config file in S3 every hour "to keep things in sync".

Too bad the entire thing relies on those JIDs containing PII now, which everyone is afraid of changing. The solution? Slap another micro-service in front that translates them to something else. Devs have been unsuccessfully trying to get exactly that deployed for weeks now. But cut them some slack: getting shit done is hard when you're overqualified for your job.

BobDaHacker · a month ago
You absolutely nailed it. As the researcher who found these vulns, I can confirm the over-engineering is real.

They literally had internal user IDs (ofId) already implemented and working, but kept the email-based JIDs for "legacy support." The entire XMPP system could have used these internal IDs from day one.

The "14 months to fix" claim was even more ridiculous when you realize the fix was just... using the IDs they already had. No architectural changes needed. They even admitted they had a 1-month fix ready but chose not to deploy it.

Your microservice translation layer guess is scary accurate - that's essentially what their "v2" endpoints were trying to do. They created new HTTP endpoints that used internal JIDs instead of email-based ones, but the XMPP layer still exposed everything, making the whole effort pointless.

The best part? After going public, they implemented the "impossible" fix in 48 hours. Turns out you don't need 14 months when the Internet is watching.

BobDaHacker commented on Lovense: The Company That Lies to Security Researchers   bobdahacker.com/blog/love... · Posted by u/campuscodi
BobDaHacker · a month ago
Hi HN, I'm the researcher who found these vulnerabilities. Happy to answer questions.

A few clarifications on the technical side:

The XMPP issue wasn't just about JIDs containing emails - it was that their roster sync actively linked internal IDs to real email JIDs. Even their "v2" endpoints that tried to hide emails were useless because the XMPP layer still exposed everything.

Regarding the "14 months to fix" claim - they actually had the fix ready (they admitted they could do it in 1 month) but chose not to deploy it for "legacy support." The fix they implemented after public pressure was exactly what I suggested months ago: just use the internal IDs they already had.

The most frustrating part was discovering other researchers reported these exact bugs in 2022 and 2023. Lovense told them it was "fixed" while paying them peanuts ($350 vs the $3000 they paid me for the same bugs).

Also, to address the over-engineering comment by chmod775 - you're spot on. They had internal user IDs (ofId) the whole time but maintained this complex dual system. The "architectural complexity" was self-inflicted.

u/BobDaHacker

Karma: 7 · Cake day: July 31, 2025